I'm Dr. Mike Murphy. In this video I'm going to introduce iptables, which is the user-space interface to the Linux kernel firewall.

I'll begin by discussing the network layer of the OSI model and explain why the firewall doesn't work entirely at the network layer, describe the purposes of a firewall, present an overview of iptables, and then I'll conclude by discussing the future of Linux firewalls.

Since firewalls deal with routing and filtering packets, and routing in the general case occurs at layer three of the OSI model, in the network layer, one would assume that a firewall would operate primarily in the network layer. Now, recall that the network layer works in units of datagrams or packets, and so we would assume that the firewall would operate on those datagrams and be part of layer three.

In reality, however, in order to make a firewall comprehensive, it's typically necessary to consider components of the protocols other than simply the layer three protocol. As the functionality of the firewall increases, the number of layers involved in implementing the firewall also goes up.

So it's not uncommon these days for a firewall certainly to operate at the network layer, but also to have some interfaces to be able to operate at the transport layer, be able to perform some data link layer matching and management, and even perform a little bit of application layer trickery, so to speak, to help make certain applications traverse the firewall in a correct way.

So I mentioned that two main functions of a firewall are to protect the host system from unauthorized connections. So the idea here is that we're going to block connections to services that we do not want to be made public. We also may want to restrict connections to certain IP address ranges. We can also restrict connections based on MAC addresses. We can restrict connections based on other criteria as well.

When we're not restricting connections, the other thing we're concerned with in a firewall is rewriting packet headers to route packets between networks. And so the firewall is part of the system that enables a machine to function as a network router. It's not all of it, but it's a part of the component that will enable us to function as a router. And in fact most consumer and business router devices, the devices you might buy at a big box store or online, are really just small computers running firewalls with routing capabilities and a little bit of other software.

Now, firewalls can implement advanced features, and in fact many firewalls do. It is not uncommon these days, for example, for firewalls to implement capability for network address translation, and doing NAT properly is actually one of the reasons why the firewall typically has to operate at layers other than just the network layer. And it's not uncommon for these firewall products these days to implement some type of quality of service.

Additional capabilities do increase the complexity of the firewall implementation and make it a bit harder to configure, because the complexity of the configuration also goes up.

Now, in Linux we have iptables, and what iptables is, is actually the user-space interface to a built-in system inside the Linux kernel, or built-in subsystem, called netfilter. And netfilter is what actually implements the firewall and routing capabilities within the kernel and enables any Linux machine or device to act as a firewall and/or as a router.

By convention iptables is always written in lower case, since the command iptables that we would run is an entirely lower-case command, and commands in Linux are of course case sensitive.

So if we look at how iptables works, this diagram is pretty comprehensive, and basically iptables consists of several components. So we have the routing component, which all packets go through as they come into the firewall and as they leave through the firewall. We have an inbound firewall component on the host and an outbound firewall component on the host.

Now, the communication between the network and the host application is performed using what's called a network socket. This is an interface that an application can use to access network resources from the system.

When data leaves the socket it gets put into packets as it works its way up the OSI model to the network layer, and when packets come in that are eventually destined for the host application, they traverse through the firewall in order to get there. And the firewall contains a number of tables and a number of chains that operate within each table, and that's actually what makes the Linux firewall work. And I'll talk more in detail about this in another lecture.

So if we look at how we configure iptables, there are several ways to do it. In my lectures and in my demonstrations I'm gonna show you how to do it manually using command line tools. This is the universal way to configure the firewall by hand; this will work on any distribution of Linux, and it will work on a whole wide variety of different devices and a whole bunch of different use cases. There are, however, different front ends that can be used to configure iptables firewalls: firewalld, which is the default on CentOS 7 (I will actually be disabling it in order to use iptables directly), Shorewall, Firestarter, ufw, and a whole bunch of others.

Now, as far as iptables goes, there is another project called nftables. It's actually by the same group that makes netfilter and maintains the netfilter subsystem in the kernel. And so the netfilter project has created nftables, and it's positioned to be a replacement for iptables, quote unquote, "real soon now."

Now, the reason why I say quote unquote "real soon now" is because it uses a totally different configuration syntax, and it's actually not very well documented right now. So until the documentation catches up with the need for certain capabilities of a Linux firewall, it's going to be some time before nftables sees widespread adoption.

That said, as of September 2017 the Debian wiki is claiming nftables is actually ready for production use. The Arch wiki, however, is a bit less bullish about that; it's much more conservative, which is a little bit surprising, because Arch Linux is considered a bleeding edge distribution while Debian is considered a rock solid, stable distribution. So one would expect those roles to be reversed, and what that tells me is that right now nftables isn't quite ready, partly because the nftables maintainers haven't gone through and made enough documentation for how their system works.

So the long and the short of it is, it's likely that iptables is going to be available for quite some time even as nftables matures, and the transition from iptables to nftables will be fairly slow. So with all that in mind, in the next set of lectures and next set of demonstrations I'm going to show you how iptables works and how to configure firewall and routing capabilities.
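As an added example (not part of Dr. Murphy's lecture or his demonstrations), the following shell script turns the two firewall roles described above into a concrete iptables ruleset: host protection with a default-deny INPUT policy, a layer 3 match restricting SSH to an address range, a layer 2 match (`-m mac`) admitting one known device, and the router role with FORWARD rules plus a MASQUERADE rule for NAT. The interface names, address ranges and MAC address are constructed placeholders, and the script defaults to a dry-run mode that prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the lecture: a minimal iptables ruleset for the
# two roles discussed (protecting a host, and routing between networks).
# Interface names, address ranges and the MAC address are constructed
# placeholders. DRY_RUN=1 (the default) prints commands instead of
# running them; set DRY_RUN=0 to apply them as root on a Linux host.

DRY_RUN="${DRY_RUN:-1}"
WAN_IF="${WAN_IF:-eth0}"                         # assumed upstream interface
LAN_IF="${LAN_IF:-eth1}"                         # assumed internal interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"            # constructed internal range
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"         # constructed admin range
PRINTER_MAC="${PRINTER_MAC:-02:00:00:00:00:01}"  # constructed, locally administered

# Run or print an iptables invocation depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Host protection: default-deny inbound, with an explicit allow-list.
host_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # Connection tracking (a layer 4 concern) lets replies back in without
    # opening the ports they return on.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the admin range: a layer 3 (IP address) match.
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # A service reachable only from one known device: a layer 2 (MAC) match.
    ipt -A INPUT -p tcp --dport 631 -i "$LAN_IF" -m mac --mac-source "$PRINTER_MAC" -j ACCEPT
    # Log (rate limited) what is about to fall through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Router role: forward LAN traffic upstream and rewrite its source (NAT).
router_rules() {
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    # The kernel only routes between interfaces once forwarding is enabled.
    if [ "$DRY_RUN" = "1" ]; then
        echo 'sysctl -w net.ipv4.ip_forward=1'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Emit (or apply) the complete ruleset.
all_rules() {
    host_rules
    router_rules
}

# Number of commands the policy generates; a quick sanity check when
# editing the ruleset.
rule_count() {
    all_rules | wc -l | tr -d ' '
}

all_rules
```

Running the script as-is prints the twelve commands it would execute; the ordering matters, because iptables evaluates a chain top to bottom and the first matching rule wins, so the ESTABLISHED,RELATED rule must come before the more specific allow rules and the LOG rule must be last.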